  • Malefactors compete among themselves for cryptocurrency in Kubernetes

    Hackers gain environment privileges to eliminate competitors.

    Security company Aqua has discovered a large-scale campaign in which attackers use the Kubernetes Role Based Access Control (RBAC) policy to create backdoors and run cryptocurrency miners.

    The attackers also deployed DaemonSets to steal resources from the targeted Kubernetes clusters, experts say. The researchers found 60 unprotected clusters being exploited by the attackers.

    The chain of attacks, dubbed "RBAC Buster", began with an attacker gaining initial access through a misconfigured API server, then checking for competing miners on the compromised server, and then using RBAC to establish persistence.

    The attacker created:

    • a "ClusterRole" object (describes the rights to objects in the entire cluster) with administrator-level privileges;
    • a "ServiceAccount" account (designed to manage the access rights of processes to the Kubernetes API) and the "kube-controller" daemon in the "kube-system" namespace;
    • a "ClusterRoleBinding" object (opens access to cluster entities) that binds the "ClusterRole" to the "ServiceAccount", giving the attacker a persistent and inconspicuous foothold in the system.

    During the attack, the attacker attempted to use the AWS public access keys as a weapon to gain a foothold in the environment, steal data, and break out of the cluster.

    In the final phase of the attack, the attacker created a DaemonSet to deploy a Docker-hosted container image ("kuberntesio/kube-controller:1.0.1") to all nodes. The container, which has been downloaded 14,399 times since it was uploaded 5 months ago, contains a cryptominer.

    “The 'kuberntesio/kube-controller' container image is an example of typosquatting that allows you to impersonate a legitimate 'kubernetesio' account. The image also mimics the popular 'kube-controller-manager' container image, which is a critical control plane component that runs in a pod on each master node and is responsible for detecting and responding to node failures.”
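As an added example (not code from Aqua's report or from this article), the Python audit below checks a cluster export for the two persistence signs described above: a ServiceAccount bound to an administrator-level ClusterRole, and a DaemonSet image whose registry account is a near-miss of a trusted one. The sample objects are constructed, and the trusted account list, the 0.85 similarity threshold and all function names are assumptions.

```python
from difflib import SequenceMatcher

# Constructed stand-in for the "items" of
# `kubectl get clusterroles,clusterrolebindings,daemonsets -A -o json`.
# Image name is from the article; the ServiceAccount naming is an assumption; the rest is made up.
ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "example-admin-role"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "example-pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "example-admin-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-controller",
                   "namespace": "kube-system"}]},
    {"kind": "DaemonSet", "metadata": {"name": "example-ds", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"image": "kuberntesio/kube-controller:1.0.1"}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "example-cni", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [{"image": "calico/node:v3.25.0"}]}}}},
]

def wildcard_roles(items):
    """ClusterRoles holding a rule that grants every verb on every resource."""
    return {i["metadata"]["name"] for i in items if i["kind"] == "ClusterRole"
            and any("*" in r.get("verbs", []) and "*" in r.get("resources", [])
                    and "*" in r.get("apiGroups", []) for r in i.get("rules") or [])}

def admin_serviceaccounts(items):
    """(binding, namespace/name) for ServiceAccounts bound to an admin-level ClusterRole."""
    admin = wildcard_roles(items) | {"cluster-admin"}
    return [(i["metadata"]["name"], f'{s.get("namespace")}/{s["name"]}')
            for i in items if i["kind"] == "ClusterRoleBinding"
            and i["roleRef"]["name"] in admin
            for s in i.get("subjects") or [] if s["kind"] == "ServiceAccount"]

def lookalike_images(items, trusted_orgs=("kubernetesio",), threshold=0.85):
    """DaemonSet images whose registry account nearly, but not exactly, matches a trusted one."""
    hits = []
    for i in (x for x in items if x["kind"] == "DaemonSet"):
        for c in i["spec"]["template"]["spec"]["containers"]:
            org = c["image"].split("/")[-2] if "/" in c["image"] else ""
            if any(org != t and SequenceMatcher(None, org, t).ratio() >= threshold
                   for t in trusted_orgs):
                hits.append((i["metadata"]["name"], c["image"]))
    return hits

if __name__ == "__main__":
    print(admin_serviceaccounts(ITEMS))
    print(lookalike_images(ITEMS))
```

Any ServiceAccount it reports should be matched against a known owner, since administrator-level bindings to service accounts are rare in a healthy cluster.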

    Interestingly, some of the attack tactics bear similarities to another cryptojacking campaign that also used DaemonSets to mine the Dero coin. It is currently unclear if the two campaigns are related.

    Author DeepWeb